Mehmet Ergene’s Tweets

Jan 27

Want to detect Cobalt Strike or ALL beacons? I've added data size scoring and improved the score calculations to reduce false negatives. Still, there are some false negative possibilities. I'll work on them next. Stay tuned! #ThreatHunting #DFIR

GitHub - Cyb3r-Monk/RITA-J: Implementation of RITA (Real Intelligence Threat Analytics) in Jupyter...

Implementation of RITA (Real Intelligence Threat Analytics) in Jupyter Notebook with improved scoring algorithm. - GitHub - Cyb3r-Monk/RITA-J: Implementation of RITA (Real Intelligence Threat Analy...

245

Mar 25

I spent my free time doing research, learning, etc. during the COVID. It was extremely fun, satisfying, and exhausting. Now, I started focusing on myself more. I'm probably not going to keep the same pace and I don't care. Life is not all about infosec&work.

There will always be someone crushing it, developing new stuff constantly. I ask myself: Do I want to be like one of them? Is it going to make me happy? The answer is: I don't care if I fall behind. It's OK to be in the 10% instead of 1%, as long as I'm happy with myself.

"Your time is way too valuable to be wasting on people who can't accept who you are. Don’t sacrifice yourself too much for you cannot make everyone happy. If you want to achieve anything, learn how to love yourself first." (you can modify this for infosec)

I'd been feeling similar recently until I realized it wasn't a responsibility. From Feynman: "You have no responsibility to live up to what other people think you ought to accomplish. I have no responsibility to be like they expect me to be. It's their mistake, not my failing."

Quote Tweet

SwiftOnSecurity

@SwiftOnSecurity

· Mar 24

I'll be honest, I panic about all the stuff I don't know in my field and that I'm falling further behind all the time. All these people crushing it, developing new stuff constantly, and I feel guilty not working or researching.

Show this thread

Replying to

As a follow-on to

's exceptional work: windowsir.blogspot.com/2022/03/window

Topics to follow

Carousel

Mar 23

Why are tools and threat groups are on the same list? I used to see them as separate categories, what has changed? #ThreatIntelligence

Mar 23

If you are investigating an incident/doing forensics, you DO NOT detect anything. You find, discover, uncover, etc. I don't think "detection" is a suitable word for DFIR. #ThreatHunting #DFIR

Mar 22

Many people will become identity access management experts in one day.

Mar 22

Can someone explain how an SSO provider can be abused in case of such compromise? I mean, what can you do after gaining access to mentioned portals/accounts? How can a customer be affected by it? Don't you need the customer employees' credentials for abuse? #Okta #OktaBreach

Lapsus$ hackers leak 37GB of Microsoft's alleged source code

Mar 22

It's raining hacks and breaches. #LAPSUS #Microsoft #Okta

bleepingcomputer.com

The Lapsus$ hacking group claims to have leaked the source code for Bing, Cortana, and other projects stolen from Microsoft's internal Azure DevOps server.

Mar 21

The most important thing in agile is the people. You need to convince them, make their life easy. 9/9

iii) If your tooling supports, create and use CI/CD pipelines for managing detection engineering work. This way, you have a single source of truth, 4-eye principles, reporting/dashboarding your work to the management level, etc. 8/9

8. Here is an example of how you can implement agile on the technical/process level using Azure DevOps: i) Use Scrum or Kanban boards for task tracking ii) Use Azure Repos for your documentation(Wiki, etc.) Using a repo for documentation makes it easy to migrate/integrate 7/9

7. Consider how you can collaborate with Threat Intelligence, Red team, and others that are outside the SOC in an agile way. If you're dependent on a team that has a different way of working, good luck. You need to align with them in your agile process. 6/9

SOC Analyst -> Threat Hunting / Detection Engineering (false positive feedback, etc.). It's best to analyze the relations between TH/DE/IR, etc. first, and then set up the teams accordingly. 5/9

6. When you create separate teams and define each of them as products(TH/DE/IR/etc.), you create isolation between teams. Avoid damaging the collaboration. In SOC, several things are tied together: Data source onboarding -> threat hunting -> detection engineering. 4/9

4. Listen to your employees. Agile is a mindset, not a tool. If employees are not happy with it, you have a big problem that can result in high turnover 5. Avoid hiring a scrum master/PO who doesn't have a security background. It's a huge risk, especially for your whole team 3/9

1. DO NOT copy-paste from the agile. NEVER EVER. 2. FIRST assess your way of working, then analyze which agile method(and which parts) are the most suitable. 3. Sprints aren't for threat hunting. It 'might' apply to detection engineering, depending on how you define it. 2/9

If done correctly, it is pretty effective. Having worked in an agile way for the last 2 years, here is some personal opinion 🧵: 1/9 #agile #threathunting #detectionengineering #soc

Quote Tweet

Adam

@Hexacorn

· Mar 13

1M question: What does 'going agile' in a cyber context mean? How do you turn your CERT/SOC/DE/TH/TI/RT function 'agile'?

Show this thread

Andrew D. Huberman, Ph.D.

@hubermanlab

Mar 20

It’s easy to establish science supported, genuinely health promoting, zero-cost habits if we do them in combination: e.g., outdoor walks/Zone2 cardio in the morning (30min) done nasal breathing only, w/sunlight, followed by cold shower or plunge (2-5min). Total time: 35min.

317

2,772

Mar 19

I think we are all gatekeepers. It's just some of us keep all the gates, some of us keep some gates. It doesn't necessarily happen consciously. Most likely, it's unconscious. #NoteToSelf

Mar 19

Hi SIEM/XDR/EDR vendors, Wouldn't it be great to embed jupyter into your Web UIs? Could be a game changer in a SOC. #threathunting #DFIR #jupyter

Quote Tweet

Jeremy Tuloup

@jtpio

· Mar 15

Embedding Jupyter Everywhere

blog.jupyter.org/jupyter-everyw

Mar 17

Last day at work. I'll get some rest and start a new&different chapter in my career. It's going to be quite a big change for me.🤞

Mar 16

Automated Incident Response and Forensics Framework from AWS #DFIR

GitHub - awslabs/aws-automated-incident-response-and-forensics

Contribute to awslabs/aws-automated-incident-response-and-forensics development by creating an account on GitHub.

123

335

Mar 15

🔥🔥🔥🔥🔥

Quote Tweet

VirusTotal

@virustotal

· Mar 15

Meet VT4Browsers++, our browser extension to enrich all IOCs in any website you visit. Read all details here: blog.virustotal.com/2022/03/vt4bro

Mar 13

Shouldn't we say "security controls" instead of "automated detection systems" and consider SOC analysts as a security control as well? Shouldn't we hunt through the alerts if they are not picked up by SOC analysts? 3/3

Some TTPs can have high fidelity/severity and some have low fidelity/severity. Low ones may have a high false positive rate in many cases and most of the time they may not be picked up because of alert volume. 2/3

Question(or "going back to principals" exercise): #ThreatHunting is proactively and iteratively searching systems for threats that evade detection by automated threat detection systems. What if the threats are detected but the alerts are skipped/not analyzed by SOC analysts? 1/3

Speaking of stolen certificates, If you have ASR configured, you can find rare files that don't have valid signatures or with specific signatures. Prevalence is one of the most useful methods for hunting. #Lapsus #ThreatHunting #MicrosoftDefender #DFIR

Threat-Hunting-and-Detection/ASR Rare and Untrusted Executables.md at main · Cyb3r-Monk/Threat-Hu...

Repository for threat hunting and detection queries, tools, etc. - Threat-Hunting-and-Detection/ASR Rare and Untrusted Executables.md at main · Cyb3r-Monk/Threat-Hunting-and-Detection

Lee Holmes

@Lee_Holmes

Mar 9

Had a great question from

@alexandair

on whether it was possible to combine the multi-part PowerShell Script Block logs using KQL / Sentinel / Log Analytics directly. Indeed it is! gist.github.com/LeeHolmes/c5f9

Bypassing EDR real-time injection detection logic

@N4k3dTurtl3

Mar 9

I've spent the last couple months doing extensive dev/testing to achieve shellcode injection in a remote process against a couple of top tier EDRs. I've learned a lot but I really can't overstate the value of the *concepts* presented in this blog post:

blog.redbluepurple.io

230

494

This can be quite useful for Live Response in Defender for Endpoint. Since MDE doesn't support YARA, running it manually during live response sounds interesting. #ThreatHunting #DFIR #YARA

GitHub - BinaryDefense/YaraMemoryScanner: Simple PowerShell script to enable process scanning with...

Simple PowerShell script to enable process scanning with Yara. - GitHub - BinaryDefense/YaraMemoryScanner: Simple PowerShell script to enable process scanning with Yara.

214

Taking Your Detection Program to the Next Level | SANS Cyber Defense...

Mar 8

Still one of the best presentations I've watched so far. It's just 20 minutes, highly recommended. If I have a product, I don't like/want to create basic detections that should already be done by the vendor that I'm paying.

@jaredcatkinson

#ThreatHunting

youtube.com

We’ve gotten really good at collecting piles of data. Our customers send us plenty of it and they think every event from every device is being monitored. Are...

112

👀👀

Google to Acquire Mandiant

Mandiant has entered into a definitive agreement to be acquired by Google.

Mar 8

Just imagine doing your DFIR investigations with this. #DFIR

Quote Tweet

Matt Zorich

@reprise_99

· Mar 8

Not sure if this got enough love when it was announced, but you should 100% sign up to the free Azure Data Explorer instance - aka.ms/kustofree. 100 GB of storage, load up whatever data you want (csv, json, txt) and go ham with it

Show this thread

Detecting Kerberos Relaying Attacks

Mar 6

I've included the analysis of

@_dirkjan

's krbrelayx and added detection queries both for krbrelayx and

@cube0x0

's KrbRelay. #ThreatHunting #DFIR #MicrosoftSentinel #MicrosoftDefender #Kerberos

posts.bluraven.io

Detecting Kerberos relaying attacks published by cube0x0 (KrbRelay) and by Dirk-jan (krbrelayx)

122

Fabian Bader

@fabian_bader

Mar 4

Query #MDE for all file events related to #NVIDIA cert leak. DeviceFileCertificateInfo | where CertificateSerialNumber in ("43bb437d609866286dd839e1d00309f5","14781bc862e8dc503a559346f5dcc518") | join kind=rightsemi DeviceFileEvents on SHA1 | sort by Timestamp

Show this thread